On Wed, Sep 5, Kenneth Michael Ashcraft wrote:
> Hi All,
>
> I've extended the security checker (makes sure that user lengths are
> bounds checked) quite a bit since my last report on July 13. The checker
> makes sure that bounds checks are present before a user length is:
...
> ---------------------------------------------------------
> [BUG] this one looks nasty. not only copy a large amount but copy it wherever (gem)
> /home/kash/linux/2.4.9/drivers/net/wan/farsync.c:1214:fst_ioctl: ERROR:RANGE:1203:1214: Using user length "size" as argument to "copy_from_user" [type=LOCAL] [state = need_ub] set by 'copy_from_user':1203 [distance=12]
I'd agree it's nasty. Don't you just love overflow math.
Fortunately the fix is straightforward:
--- linux/drivers/net/wan/farsync.c.orig Sun Aug 12 18:38:48 2001
+++ linux/drivers/net/wan/farsync.c Wed Sep 5 09:52:33 2001
@@ -1200,7 +1200,8 @@
/* Sanity check the parameters. We don't support partial writes
* when going over the top
*/
- if ( wrthdr.size + wrthdr.offset > FST_MEMSIZE )
+ if ( wrthdr.size > FST_MEMSIZE || wrthdr.offset > FST_MEMSIZE
+ || wrthdr.size + wrthdr.offset > FST_MEMSIZE )
{
return -ENXIO;
}
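Review bot: the third clause, `wrthdr.size + wrthdr.offset > FST_MEMSIZE`, still performs the addition that can wrap. The check is sound only because the two new clauses bound each operand first, and that relies on `size` and `offset` being unsigned and on 2 * FST_MEMSIZE fitting in their type, neither of which is visible in this hunk. If either field is signed, a negative value could pass all three comparisons. Consider removing the addition altogether with `if (wrthdr.offset > FST_MEMSIZE || wrthdr.size > FST_MEMSIZE - wrthdr.offset)`, which cannot wrap for unsigned fields, and extend the comment above the test to say that it guards against wraparound as well as partial writes.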
--
Bob Dunlop
FarSite Communications Ltd.
http://www.farsite.co.uk/